WGE

Hey everyone! I'd like to introduce WGE (Web Governance Engine) - a high-performance Web Application Firewall library built with modern C++23 that our team has just open-sourced. WHY BUILD ANOTHER WAF? Existing WAF solutions often become performance bottlenecks when handling large-scale traffic. We discovered ModSecurity's limitations in high-concurrency scenarios within our commercial product, leading us to build a truly high-performance WAF engine from the ground up. PERFORMANCE NUMBERS DON'T LIE We conducted detailed benchmark tests (Intel i5-10400, 32GB RAM, Ubuntu 20.04, 8 threads): Test Case: CRS v4.3.0 without TCMalloc - ModSecurity: 4,010 QPS - WGE: 17,560 QPS - Performance Gain: 4.38x Test Case: CRS v4.3.0 with TCMalloc - ModSecurity: 4,927 QPS - WGE: 18,864 QPS - Performance Gain: 3.83x This isn't the result of micro-optimizations, but comprehensive optimization from architectural design to implementation details. TECHNICAL HIGHLIGHTS - Modern C++23: Leverages latest language features with zero-cost abstractions - OWASP CRS Compatible: Supports existing rule sets, low migration cost - Thread-Safe: True multi-threaded concurrent processing - Memory Efficient: Carefully designed memory management and object pooling - Easy Integration: Clean API design, integrates with just a few lines of code ARCHITECTURE DESIGN We rethought the core WAF architecture from the ground up: 1. Security Transform Engine: Uses Ragel state machines for security-critical transformations (HTML entity decoding, URL decoding, JS decoding, etc.) to prevent evasion attacks - more efficient and maintainable than hand-written state machines 2. Rules Engine: ANTLR4-driven rule parsing supporting complex conditional logic 3. Variable System: Efficient variable storage and access mechanisms 4. Operator Library: String matching and pattern recognition optimized for WAF scenarios REAL-WORLD APPLICATION WGE is already battle-tested in our commercial product Stone Rhino Web Governance Engine, handling large-scale production traffic. We're open-sourcing this to let more developers benefit from high-performance WAF technology. QUICK START // Create engine Wge::Engine engine(spdlog::level::off); // Load rules engine.loadFromFile("rules.conf"); engine.init(); // Process requests auto transaction = engine.makeTransaction(); transaction->processConnection(...); transaction->processUri(...); // ... other processing steps OPEN SOURCE COMMITMENT - MIT License: Commercial-friendly - Active Maintenance: Continuous feature updates and performance optimization - Community-Driven: Contributions and feedback welcome PROJECT INFO - GitHub: https://github.com/stone-rhino/wge - Documentation: Basic build instructions and usage examples (contributions welcome!) - Testing: Comprehensive unit tests and benchmarks included WHY CHOOSE WGE? 1. Performance: Handle 4x+ more traffic on the same hardware 2. Compatibility: Drop-in replacement for ModSecurity 3. Modern: C++23 brings both development efficiency and runtime performance 4. Production-Proven: Battle-tested in commercial environments at scale We believe high-performance security infrastructure should be open and accessible. WGE isn't just a faster ModSecurity replacement—it represents our thinking and practice on modern WAF architecture. Looking forward to hearing your thoughts and feedback! If you're seeking high-performance WAF solutions or interested in modern C++ applications in systems software, give WGE a try. --- The Stone Rhino Team